# rules removed from the domain attribute
#
# Every access in this file is granted to the domain_deprecated attribute and
# paired with an auditallow over the same (or a narrower) permission set.
# auditallow grants nothing extra and denies nothing: it makes the kernel log
# each *granted* use, so the domains still relying on a deprecated rule can be
# identified before the allow is removed.  The domains subtracted with '-'
# inside an auditallow set are presumably the already-known users, excluded so
# the audit log only shows callers that are not yet accounted for.

# Search /storage/emulated tmpfs mount.
allow domain_deprecated tmpfs:dir r_dir_perms;
# Log tmpfs directory reads from any domain_deprecated member not listed below.
auditallow {
  domain_deprecated
  -appdomain
  -sdcardd
  -surfaceflinger
  -system_server
  -vold
  -zygote
} tmpfs:dir r_dir_perms;

# Inherit or receive open files from others.
allow domain_deprecated system_server:fd use;
# Known users excluded from logging: appdomain, netd, surfaceflinger.  Any other
# domain_deprecated member using an fd received from system_server is logged.
auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use;

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow domain_deprecated adbd:fd use;
# Known users excluded from logging: appdomain, system_server.
auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;

# Root fs.
allow domain_deprecated rootfs:dir r_dir_perms;
# file and lnk_file receive the same read permissions; written as one rule.
allow domain_deprecated rootfs:{ file lnk_file } r_file_perms;
# The audited sets are narrower than the allows above: the trailing comments
# name the permissions that the domain attribute already grants to every
# domain, so their use cannot be attributed to domain_deprecated and is not
# worth logging.  auditallow only logs granted accesses; it denies nothing.
auditallow {
  domain_deprecated
  -fsck
  -healthd
  -installd
  -servicemanager
  -system_server
  -ueventd
  -uncrypt
  -vold
  -zygote
} rootfs:dir { open getattr read ioctl lock }; # search granted in domain
# Note: fsck is excluded from the dir audit above but not from this one, so its
# rootfs:file reads are still logged.  Presumably intentional; confirm.
auditallow {
  domain_deprecated
  -healthd
  -installd
  -servicemanager
  -system_server
  -ueventd
  -uncrypt
  -vold
  -zygote
} rootfs:file r_file_perms;
# appdomain is excluded here but not from the two audits above.
auditallow {
  domain_deprecated
  -appdomain
  -healthd
  -installd
  -servicemanager
  -system_server
  -ueventd
  -uncrypt
  -vold
  -zygote
} rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain

# System file accesses.
allow domain_deprecated system_file:dir r_dir_perms;
allow domain_deprecated system_file:file r_file_perms;
# Only the permissions not already granted by the domain attribute are audited
# (see the trailing comments).  The dir audit excludes more known users than the
# file audit below (fingerprintd, installd, keystore, update_engine, vold), so
# those domains' ioctl/lock on system_file:file would still be logged.
auditallow {
  domain_deprecated
  -appdomain
  -fingerprintd
  -installd
  -keystore
  -rild
  -surfaceflinger
  -system_server
  -update_engine
  -vold
  -zygote
} system_file:dir { open read ioctl lock }; # search getattr in domain
auditallow {
  domain_deprecated
  -appdomain
  -rild
  -surfaceflinger
  -system_server
  -zygote
} system_file:file { ioctl lock }; # read open getattr in domain

# Read files already opened under /data.
# Note the file rule grants getattr and read but not open: a domain_deprecated
# member can only read a system_data_file it received already opened.
allow domain_deprecated system_data_file:file { getattr read };
allow domain_deprecated system_data_file:lnk_file r_file_perms;
# sdcardd is excluded from the file audit only; its lnk_file reads are logged.
auditallow {
  domain_deprecated
  -appdomain
  -sdcardd
  -system_server
  -tee
} system_data_file:file { getattr read };
auditallow {
  domain_deprecated
  -appdomain
  -system_server
  -tee
} system_data_file:lnk_file r_file_perms;

# Read apk files under /data/app.
allow domain_deprecated apk_data_file:dir { getattr search };
# file and lnk_file share the same permission set; one rule covers both.
allow domain_deprecated apk_data_file:{ file lnk_file } r_file_perms;
# The same four known users (appdomain, dex2oat, installd, system_server) are
# excluded for every class; any other domain_deprecated member touching
# /data/app is logged.  auditallow only logs granted accesses; it denies nothing.
auditallow {
  domain_deprecated
  -appdomain
  -dex2oat
  -installd
  -system_server
} apk_data_file:dir { getattr search };
auditallow {
  domain_deprecated
  -appdomain
  -dex2oat
  -installd
  -system_server
} apk_data_file:{ file lnk_file } r_file_perms;

# Read already opened /cache files.
allow domain_deprecated cache_file:dir r_dir_perms;
# No open on file: only files handed over already opened can be read.
allow domain_deprecated cache_file:file { getattr read };
allow domain_deprecated cache_file:lnk_file r_file_perms;
# The dir audit is split so that appdomain's getattr is not logged while its
# open/read/search/ioctl/lock still is; system_server and vold are excluded
# from every cache_file audit.
auditallow {
  domain_deprecated
  -system_server
  -vold
} cache_file:dir { open read search ioctl lock };
auditallow {
  domain_deprecated
  -appdomain
  -system_server
  -vold
} cache_file:dir getattr;
auditallow {
  domain_deprecated
  -system_server
  -vold
} cache_file:file { getattr read };
auditallow {
  domain_deprecated
  -system_server
  -vold
} cache_file:lnk_file r_file_perms;

# Allow access to ion memory allocation device.
allow domain_deprecated ion_device:chr_file rw_file_perms;
# The audit is split into read and write permissions because most domains seem
# to only require read.  Read use by the known users listed below is not logged.
auditallow {
  domain_deprecated
  -appdomain
  -fingerprintd
  -keystore
  -surfaceflinger
  -system_server
  -tee
  -vold
  -zygote
} ion_device:chr_file r_file_perms;
# Write/append has no exclusions: every domain_deprecated member that writes to
# the ion device is logged.  auditallow only logs granted accesses; it denies nothing.
auditallow domain_deprecated ion_device:chr_file { write append };

# Read access to pseudo filesystems.
# r_dir_file is a project macro; judging by the classes audited below it grants
# read access on dir, file and lnk_file of the given type -- confirm against
# the macro definition.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
r_dir_file(domain_deprecated, cgroup)
allow domain_deprecated proc_meminfo:file r_file_perms;
# proc:dir is deliberately not audited: r_dir_perms is already granted by the
# domain attribute, so a log entry could not be attributed to domain_deprecated.
#auditallow domain_deprecated proc:dir r_dir_perms; # r_dir_perms granted in domain
# proc:file excludes sdcardd and update_engine that the lnk_file audit does not.
auditallow {
  domain_deprecated
  -fsck
  -fsck_untrusted
  -rild
  -sdcardd
  -system_server
  -update_engine
  -vold
} proc:file r_file_perms;
auditallow {
  domain_deprecated
  -fsck
  -fsck_untrusted
  -rild
  -system_server
  -vold
} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
# The three sysfs audits share one exclusion list; only the audited permission
# set differs per class (see trailing comments for what domain already grants).
auditallow {
  domain_deprecated
  -bluetooth
  -fingerprintd
  -healthd
  -netd
  -rild
  -system_app
  -surfaceflinger
  -system_server
  -tee
  -ueventd
  -vold
  -wpa
} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow {
  domain_deprecated
  -bluetooth
  -fingerprintd
  -healthd
  -netd
  -rild
  -system_app
  -surfaceflinger
  -system_server
  -tee
  -ueventd
  -vold
  -wpa
} sysfs:file r_file_perms;
auditallow {
  domain_deprecated
  -bluetooth
  -fingerprintd
  -healthd
  -netd
  -rild
  -system_app
  -surfaceflinger
  -system_server
  -tee
  -ueventd
  -vold
  -wpa
} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
# cgroup: same exclusion list for dir and for file/lnk_file.
auditallow {
  domain_deprecated
  -appdomain
  -dumpstate
  -fingerprintd
  -healthd
  -inputflinger
  -installd
  -keystore
  -netd
  -rild
  -surfaceflinger
  -system_server
  -zygote
} cgroup:dir r_dir_perms;
auditallow {
  domain_deprecated
  -appdomain
  -dumpstate
  -fingerprintd
  -healthd
  -inputflinger
  -installd
  -keystore
  -netd
  -rild
  -surfaceflinger
  -system_server
  -zygote
} cgroup:{ file lnk_file } r_file_perms;
# /proc/meminfo readers other than the four listed are logged.
auditallow {
  domain_deprecated
  -appdomain
  -surfaceflinger
  -system_server
  -vold
} proc_meminfo:file r_file_perms;

# Get SELinux enforcing status.
allow domain_deprecated selinuxfs:dir r_dir_perms;
allow domain_deprecated selinuxfs:file r_file_perms;
# Both audits use the same exclusion list; the audited permissions omit what
# the domain attribute already grants (dir search, file getattr), so any log
# entry reflects a permission that only domain_deprecated provides.
auditallow {
  domain_deprecated
  -appdomain
  -installd
  -keystore
  -postinstall_dexopt
  -runas
  -servicemanager
  -system_server
  -ueventd
  -zygote
} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow {
  domain_deprecated
  -appdomain
  -installd
  -keystore
  -postinstall_dexopt
  -runas
  -servicemanager
  -system_server
  -ueventd
  -zygote
} selinuxfs:file { open read ioctl lock }; # getattr granted in domain